
I'm trying to upload a zip file and a CSV file from an HTML form.

In PHP, when I printed $_FILES (actually $request->getFiles() in symfony), I got the following.

Array
(
    [zipfile] => Array
        (
            [name] => tempfiles.zip
            [type] => application/octet-stream
            [tmp_name] => C:\wamp\tmp\php5D42.tmp
            [error] => 0
            [size] => 850953
        )
    [csvfile] => Array
        (
            [name] => test.csv
            [type] => application/vnd.ms-excel
            [tmp_name] => C:\wamp\tmp\php5D52.tmp
            [error] => 0
            [size] => 312
        )
)

I'm wondering about the type and tmp_name. I need to make a few decisions based on type. Is it safe to base decisions on the existing type? Will I get the same result for similar files on a Linux server?

Also, tmp_name has a .tmp extension. Is it consistent on both Windows/Linux? If not, is there any way that the code I write on Windows (decisions using type) will work on Linux without any issue?

Kapil Sharma
  • Very related: [Security threats with uploads](http://stackoverflow.com/questions/11061355/security-threats-with-uploads/) – deceze Sep 25 '12 at 09:40
  • @deceze Sorry, but not related. Although I thank you for the good link. I'll definitely go through them in detail, but my current code is for the admin panel of my site. Thus I'm more concerned about functionality rather than security. Security/best practice is not a question here, but making sure it works on both Windows/Linux is. – Kapil Sharma Sep 25 '12 at 09:48

2 Answers


Using this type can be dangerous because the user can change the type of the files and can upload a PHP script.

You should validate the type first, just like get_image_size() to validate an image file. I have no idea about .zip files.

StaticVariable

It is not safe to trust the type from $_FILES; you need to validate the file type on the server side.

For the .tmp extension, it is OK on both Windows and Linux.

xdazz
  • The `tmp_name` is not guaranteed to end in `.tmp` on every system. – deceze Sep 25 '12 at 09:44
  • @deceze That's true; no matter what the extension is, it won't be a problem. Anyway, the extension name should not be hardcoded. – xdazz Sep 25 '12 at 09:47
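Both answers say the same thing: decide from the file's content on the server, not from the `type` the browser sent or from whatever extension `tmp_name` happens to carry. The following is an added example of that check for the question's zip and CSV uploads; it is not code from the question, from either answer, or from symfony. It assumes plain `$_FILES` arrays shaped like the dump in the question, PHP 7.1 or later, and a hypothetical upload directory outside the web root; the `finfo` and `ZipArchive` extensions are used only when present.

```php
<?php
// Added example (not from the question or either answer): decide what an
// upload is from its bytes on the server, never from $_FILES[...]['type']
// or from the extension of tmp_name, which is whatever the OS/PHP chose.
// Assumptions: plain $_FILES arrays as printed in the question, ext/fileinfo
// and ext/zip available (both are checked for), and a hypothetical directory
// outside the web root that only the web server can write to.

const MAX_UPLOAD_BYTES = 10 * 1024 * 1024; // assumed limit for this site

/** Sniff the content and return 'zip', 'csv', or null if it is neither. */
function detectUploadKind(string $path): ?string
{
    $head = file_get_contents($path, false, null, 0, 4096);
    if ($head === false || $head === '') {
        return null;
    }

    // libmagic's verdict is only a hint (a CSV shows up as text/plain or
    // text/csv depending on the libmagic version), so it is combined with
    // checks that behave the same on Windows and Linux.
    $mime = '';
    if (class_exists('finfo')) {
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: '';
    }

    // ZIP: local file header "PK\x03\x04", or "PK\x05\x06" for an empty archive.
    $magic = substr($head, 0, 4);
    if ($magic === "PK\x03\x04" || $magic === "PK\x05\x06") {
        if (class_exists('ZipArchive')) {
            $zip = new ZipArchive();
            if ($zip->open($path, ZipArchive::CHECKCONS) !== true) {
                return null; // right magic bytes, but not a well-formed archive
            }
            $zip->close();
        }
        return 'zip';
    }

    // CSV: must be text (no NUL bytes, libmagic agrees it is text/*) and the
    // sampled lines must parse with a consistent column count.
    if (strpos($head, "\0") !== false || ($mime !== '' && strncmp($mime, 'text/', 5) !== 0)) {
        return null;
    }
    $lines = preg_split('/\r\n|\n|\r/', rtrim($head));
    if (strlen($head) === 4096) {
        array_pop($lines); // the last sampled line may be cut off mid-record
    }
    $lines = array_values(array_filter($lines, 'strlen'));
    if ($lines === []) {
        return null;
    }
    $columns = count(str_getcsv($lines[0]));
    foreach ($lines as $line) {
        if (count(str_getcsv($line)) !== $columns) {
            return null;
        }
    }
    return 'csv';
}

/**
 * Validate one $_FILES entry and move it to $uploadDir under a server-chosen
 * name. The client's name and type and the tmp_name extension never reach
 * the file system path; the stored extension comes from the detected kind.
 */
function storeUpload(array $file, string $expectedKind, string $uploadDir): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed with error code $error");
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not a file PHP received via HTTP upload');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('upload too large');
    }
    $kind = detectUploadKind($file['tmp_name']);
    if ($kind !== $expectedKind) {
        throw new RuntimeException("expected a $expectedKind upload, content looks like " . ($kind ?? 'neither'));
    }
    $dest = rtrim($uploadDir, '/\\') . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $kind;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into place');
    }
    return $dest;
}

// Usage with the form fields from the question; the directory is an assumption.
// $zipPath = storeUpload($_FILES['zipfile'], 'zip', '/var/www/private/uploads');
// $csvPath = storeUpload($_FILES['csvfile'], 'csv', '/var/www/private/uploads');
```

Nothing here reads `$file['type']` or the extension of `$file['tmp_name']`, so the same code gives the same answer whether PHP wrote the temporary file as `C:\wamp\tmp\php5D42.tmp` or `/tmp/phpXXXXXX`; the only platform-specific piece is `DIRECTORY_SEPARATOR`. The CSV check is deliberately loose (any consistent delimited text passes, including a one-column text file), which is fine when the next step is parsing it anyway; it exists to reject binaries renamed to `.csv`, not to prove the content is meaningful.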